SECURITY AND DATA PRIVACY CONTROLS - ADDENDUM

Last Updated: March 12, 2024

1. Definitions.

“Addendum” means the terms herein, which collectively form an amendment to the Agreement.  

“Agreement” means written agreement(s) between Stericycle and Supplier where Stericycle has engaged Supplier to provide services, software, and/or other solutions.

“Data Security Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

“Data Subject” means an identified or identifiable natural person[s] whose personal data is being collected, stored, or processed.

“Personal Data” means any information related to an identified or identifiable natural person. This may include, personally identifiable information which means any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.  Further, Personal Data is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which a company or person intends to identify specific individuals in conjunction with other data elements (i.e., indirect identification), which may include a combination of gender, race, birth date, geographic indicator, and other descriptors. Additionally, information permitting the physical or online contacting of a specific individual is the same as Personal Data. Personal Data can be maintained or transmitted in either paper, electronic or other media.

“Stericycle Information” means collectively, (a) all information and data relating to, or provided by, Stericycle or its affiliates, and (b) all information and data accessed, acquired, handled or stored by Supplier or its affiliates from Stericycle or its affiliates, or otherwise as a result of the Agreement, the Services, the Products and/or the parties’ performance under or in connection with the Agreement. Stericycle Information includes any Personal Data (as defined below) disclosed by, or on behalf of, Stericycle or its affiliates to Supplier or its affiliates. 

“Supplier” means the vendor, services provider, software provider or solutions provider that has entered into an Agreement with Stericycle.

2. Only authorized Supplier personnel, who have a legitimate business need to perform Supplier’s obligations under the Agreement, shall be provided access to Stericycle Information and such access shall be limited to such parts of the Stericycle Information as is strictly necessary for performance of its duties under the Agreement. Supplier shall implement all measures reasonably necessary to ensure that its personnel are informed of the confidential nature of Stericycle Information and comply with the obligations set out herein, including providing its personnel with the necessary training so that such persons can correctly, lawfully and safely process Stericycle Information. Supplier represents and warrants that it satisfies the following basic security requirements and covenants that it will continue to satisfy the following basic security requirements for so long as it is in possession of any Stericycle Information. Supplier:

a. Installs and maintains a working network firewall to protect data accessible via the Internet.

b. Centrally manages security patches and maintains deployment of patches within a documented reasonable timeframe.     

c. Maintains change control management, including protocols on the installation of and execution of software in production.

d. Encrypts data in transit and at rest for systems processing or storing Stericycle information using modern industry standard encryption methodologies.

e.  Uses and regularly updates anti-virus software.

f.  Does not use supplier-supplied defaults for system passwords and other security parameters.

g. Mandates the use of “strong passwords” on all systems where Stericycle Information is stored, accessed or processed. Strong passwords should be at least 8 characters long and combination of upper case, lower case, and alphanumeric characters.

h. Regularly tests and performs independent audits of privacy and information security for systems and processes.

i.  Maintains a policy that addresses information security for employees, customers, and suppliers.

j. Restricts access to data in accordance with internal policies that incorporate the “need-to-know” and “least privilege” concepts, which are common industry standards.

k. Implements multi-factor authentication for all individual(s) accessing Stericycle data.

l. Assigns a unique ID, and tracks access, to each person with computer access to Stericycle data and prohibits sharing of user accounts.

m. Assigns privileged accounts to qualified users with Unique IDs and will tightly control and monitor such accounts.

n. Restricts physical access to systems containing Stericycle Information.

o. Restricts remote access to the entire network and employs remote access controls to verify the identity of users connecting.

p. Maintains and provides to Stericycle documented business continuity plans of Supplier and upon request provides evidence of annual testing cadence and results.

q. Maintains a written incident response plan to promptly respond to, and recover from, any security event affecting the confidentiality, integrity, or availability of Stericycle data or systems. Performs an independent vulnerability assessment annually using a reputable third party and provide evidence of such when requested.

r. Protects on-site and off-site backups from unauthorized access during transit and storage (including, without limitation, storing off-site backups in a bank safety deposit box, at a minimum, or at a data management storage facility under contract with a data retention supplier).

In the event that Supplier needs to revert any data to a backup for the purposes of disaster recovery, all Stericycle Information contained in the backup that is required to be deleted pursuant to this Addendum or the Agreement will be deleted or overwritten within 24 hours.

3. Supplier represents and warrants that it satisfies the following information security requirements and covenants that it will continue to satisfy the following information security requirements for so long as it is in possession of any Stericycle Information.

a. Supplier shall comply with all applicable privacy and data protection laws and regulations for so long as Supplier possesses, has access to, uses, stores, processes, transfers or otherwise handles Stericycle Information.

b. Supplier understands the requirements of confidentiality, integrity, and availability for the Personal Data Supplier processes as well as ensuring Supplier can restore access to the Personal Data in the event of any Data Security Breach.

c. Supplier regularly assesses the risks presented by its processing of Personal Data and takes into account the state of the art and costs of implementation when determining appropriate level of security to have in place.

d. Upon Stericycle’s request, Supplier shall enter into appropriate data transfer agreements with Stericycle as needed and as mutually agreed upon to satisfy cross-border transfer obligations relating to Personal Data (as defined above), such as the EU Standard Contractual Clauses between Data Controllers and Data Processors, or other similar agreements relating to other countries. Supplier shall take any other steps to assist in complying with any notification, registration or other obligations applicable to Supplier or any of its affiliates under Privacy Laws (as defined below), with respect to processing of Stericycle Information under the Agreement.  For purposes of this Addendum, (i) “Stericycle Data” means that portion of the data of Stericycle or that is in Stericycle’s possession that is subject to any Privacy Laws and (ii) “Privacy Laws” mean laws in any applicable jurisdiction that relate to (1) confidentiality, collection, use, handling, processing, security, protection, transfer or free movement of Personal Data or customer information, (2) electronic data privacy, (3) trans-border data flow or (4) data protection.

e.  In the case of a Data Security Breach, the Supplier shall, without undue delay, and in any event, within 24 hours from the Supplier becoming aware of any such incident, notify Stericycle of the Data Security Breach. To the extent that the Supplier has access to such information at the time of the notification, such notification shall include:

    i. a description of the nature of the Data Security Breach, including without limitation, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Stericycle Data records concerned,

    ii. a description of the likely consequences of the Data Security Breach, and

    iii. a description of the measures proposed to be taken by the Supplier to address the Data Security Breach (provided it will only implement such measures on the instruction of Stericycle), including, where appropriate, measures to mitigate its possible adverse effects.

Where, but only to the extent that it is not possible to provide such information at the same time of the notification of the Data Security Breach, the information may be provided at a later time but in any event shall be provided as soon as reasonably practicable and in sufficient time to enable Stericycle to meet the requirements of applicable data protection laws.

4.  Supplier represents and warrants that it satisfies the following assessment and audit requirements and covenants that it will continue to satisfy the following assessment and audit requirements for so long as it is in possession of any Stericycle Information.

a. If requested by Stericycle, Supplier will, at its own expense, undergo an initial security assessment by Stericycle, including the completion of a risk assessment questionnaire provided by Stericycle.  

b. Stericycle reserves the right to periodically assess the systems that Supplier uses to store Stericycle Information, upon prior written notice to Supplier and during Supplier’s normal business hours; provided, that, no more than one such assessment shall be made during any 12 month period during the term of the Agreement; provided, however, that the foregoing restriction will not apply (a) if such assessment reveals material discrepancies, or (b) in the event of any security breach related to or in connection with Stericycle Information.

c. Stericycle reserves the right to audit the outsourced service managed by the Supplier, whenever the need arises. Stericycle’s right to audit will also be extended to the Supplier’s subcontractors that provide any Services under the Agreement. An independent review may be performed at Stericycle’s request based on the criticality of the outsourced service’s impact to Stericycle business operations, or when the Supplier refuses to provide relevant/applicable SSAE 16 Type 1, SOC II reporting. An independent reviewer, such as an external auditor, may be engaged to perform a security assessment on the service.

d. Stericycle will monitor activities by the Supplier on a periodic basis.  Supplier is required to provide relevant security compliance, certification reporting as requested.  Examples are SSAE 16, Type II, ISO 27001 certificate, PCI-DSS certification, etc. These artifacts should be provided when completed, or on an annual basis, at a minimum.

e. If Supplier obtains, creates, generates, collects, has access to or processes Personal Information that is  subject to any Privacy Laws, then Supplier must, at their own expense, agree to participate in Stericycle disaster recovery or cyber incident response exercises.

5. Supplier represents and warrants that it satisfies the following data transmission and retention requirements and covenants that it will continue to satisfy the following data transmission and retention requirements for so long as it is in possession of any Stericycle Information.

a. Supplier agrees to abide by Stericycle’s standards for protecting the confidentiality and integrity of data transmissions.

b. Approved mechanisms for data transmission similar to but not limited to:

     i.      Modern encrypted HTTPS with certificate-based authentication utilizing a 2048-bit (or larger) RSA public key, and 128-bit (or stronger) symmetric encryption.

    ii.      Digitally signed and encrypted S/MIME messages over HTTP or SMTP, using certificates with a 2048-bit (or larger) RSA public key, and 128-bit (or stronger) symmetric encryption.

    iii.      Digitally signed and encrypted messages utilizing industry standard encryption methodologies over a variety of transports, with 2048-bit (or larger) RSA or DH/DSS public keys, and 128-bit (or stronger) symmetric encryption

c. For all message-based encryption schemes employing digital signatures. Supplier will verify the digital signature of the message and reject messages with invalid signatures.

d. For all encryption schemes employing public key cryptography, Supplier will ensure the confidentiality of the private component of the public-private key pair and will promptly notify Stericycle in the event that the private key is compromised.

e.  Supplier will retain Stericycle Information only for as long as is necessary to perform the Services.

f. Supplier will securely delete and/or return (as determined by Stericycle) all live (online or network accessible) instances of the Stericycle Information within 30 days after completion of the Services or termination or expiration of the Agreement and provide written confirmation upon completion of deletion activities.

g. Upon Stericycle’s request, Supplier will promptly replace, regenerate, or obtain a new copy of any Stericycle data managed, handled, or stored by Supplier.

h. Prior to disposing of any hardware, media, or software (including any sale or transfer of such hardware, media, or software, any disposition in connection with any liquidation of Supplier’s business, or any other disposition) that contains, or has at any time contained, Stericycle Information, Supplier will perform a complete forensic destruction of the Stericycle Information in such hardware or software such that none of such Stericycle Information can be recovered or retrieved.  Such forensic destruction may include: (a) physical destruction, particularly incineration; or (b) secure data wipe.  

6. Prior to Supplier receiving any Personal Data, Stericycle must first review and validate Supplier’s data protection policies and standards to ensure alignment with Stericycle requirements. 

7.  Supplier acknowledges that any unauthorized disclosures or use of Stericycle Information or Personal Data would cause irreparable harm to Stericycle and that Supplier shall be liable for all expenses associated with any such unauthorized disclosure.

8. Supplier will indemnify and hold harmless Stericycle and its respective employees, agents and representatives against any and all liabilities, judgments, damages, claims, demands, costs, expenses (including reasonable attorneys’ fees) or losses, due to Supplier’s negligence, breach of warranty or failure to perform in accordance with the terms of this Addendum.  This section will survive the termination of the Agreement and this Addendum.